[cabfpub] SHA-1 exception request

Dean Coclin Dean_Coclin at symantec.com
Wed Oct 12 16:10:25 UTC 2016


Responses from First Data posted below to Andrew Ayer's comments:

> Most of these merchants simply need a software update.   If devices
> cannot be upgraded the POS vendor will need to provide a new device or 
> application.

How many of the 300,000 terminals simply need a software update?
What does the merchant need to do to apply the software update?

[First Data] We estimate that roughly 70% of the population use terminal-type
POS systems and 30% are using PC/Unix/Java-based POS systems.

Part of the burst upgrade exercise will be to obtain a greater level of
detail.  

First Data managed terminal POS systems have SHA-256 updates available and
we expect our burst upgrade initiative to prompt merchants to obtain the
necessary updates in cases where we could not force the download. 

The PC/Unix/Java devices outside of First Data's control may require POS
vendors to conduct software or security updates.  

There are cases where a new terminal/POS device will be required because
they cannot support SHA-256. This is a reason for concern, as clients will
need time to order, receive, test and install these new devices, which is why
we are asking for the extension.

> The POS provider is required to maintain PCI compliance of their device.
> If a known vulnerability were to be detected we would of course take
> appropriate action.

What would that action be?

[First Data] Depending on the severity of the vulnerability, First Data would
deactivate the device(s).

If the vulnerability does not carry severe risk, we would attempt to contact
the merchant(s) and/or vendors and drive them to replace the POS system.  

If merchants needed to apply a security update to address a vulnerability,
how would you communicate the need to update to merchants?  How long would
merchants have to update?  What would you do if some merchants had not
updated by the deadline?

[First Data] Again, it depends on the severity. Our IT Risk and Security
teams that audit our network provide guidance and remediation timeframes.

Where we own control we can proactively force updates to capable devices
and/or communicate with our clients to obtain the necessary updates by the
deadline.

Where we do not have control, we can notify the POS vendor and client of
the compliance deadline and deactivate those who do not comply.


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Andrew Ayer
via Public
Sent: Monday, October 10, 2016 11:35 AM
To: public at cabforum.org
Subject: Re: [cabfpub] SHA-1 exception request

Questions for First Data:

> Most of these merchants simply need a software update.   If devices
> cannot be upgraded the POS vendor will need to provide a new device or 
> application.

How many of the 300,000 terminals simply need a software update?
What does the merchant need to do to apply the software update?

> The POS provider is required to maintain PCI compliance of their device.
> If a known vulnerability were to be detected we would of course take
> appropriate action.

What would that action be?

If merchants needed to apply a security update to address a vulnerability,
how would you communicate the need to update to merchants?  How long would
merchants have to update?  What would you do if some merchants had not
updated by the deadline?

Regards,
Andrew
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public